Tuesday, April 27, 2010

HaX0red

So get this.

Back in January, as I mentioned at the time, I cancelled my WoW account.  Actually, that should be accounts (plural) because, like many gamers, I always had a couple.  One was my "main" account, and the other was used either by my wife (on the uncommon occasions when she played) or by me for mule characters and the like.  Anyway, cancelled them both back in January.

So, imagine my surprise when my wife forwarded to me an e-mail she'd gotten last week (note well:  "last week" as in "late April") from Blizzard saying that her account had been banned, for disruptive activities or somesuch similar nonsense.  When she first told me about it, my first reaction was that it surely was some kind of phishing attempt.  But when I read the actual e-mail, it looked real and didn't ask for anything.  Then, when I tried to log in to the account through their website, I discovered that the message was legit.

Banned!  Accused of buying/selling game items for "real world" money!

I'm going to try to make a long story short here, so I'll gloss over some of the details.  I immediately sent Blizzard an e-mail saying, in essence, "no WAY!!!11!"; a few days passed; they must have believed me or whatever; the account got reinstated; I was able to log on to their account management website.  I then discovered that the account had in fact been reactivated about a week earlier by someone using a free Burning Crusade 10-day trial (like I said, she never played too much, so BC was never activated on that account).  There were a couple (literally) of days left on the trial, so I logged in (after sitting through the inevitable/interminable patching process) and discovered a new character (i.e., one that I am certain neither my wife nor I created) holding a fair amount of coin (with a lot more in its mailbox from the Auction House) and piles and piles and piles of mithril and gold ore.  Some of the pre-existing (i.e., legitimate) characters on the account also had piles of mithril ore in their mailboxes too.

Seeing all of that demonstrates conclusively that this wasn't just some kind of weird glitch in Blizzard's system.  Rather, some person actually got access to our account and used it for apparently (and in Blizzard's opinion, definitely) nefarious purposes.  I'm going to call that right there about the damnedest thing I've ever had happen to me (or someone I directly know) relating to computer or online account security.

Whoever used the free trial to reactivate the account had to have two pieces of information:  the account name and the associated password.  The name:  fine.  It's an e-mail address.  Not a "main" address, or even one that's commonly used, but still.  Not exactly super-secret information.  But the PW?  What the hell?  I knew it, my wife knew it, and that should have been it.  I know with absolute certainty that we never shared a WoW password with any third party, either intentionally or by falling for some kind of scam.  We aren't exactly airheads about that kind of thing.  She even works in a field where computer security is of extreme importance, for crying out loud.

I'd pay a fair amount of money to know how this happened, but I'm sure I never will.  So, I will remain more or less beside myself in the near term, and wonder what other pieces of our personal security may have been compromised as well.
